Monocypher

Changelog

2.0.1

2018/03/07

Followed a systematic pattern for the loading code of symmetric
crypto. It is now easier to review.

Tweaked Poly1305 code to make it easier to prove correct.

2.0.0

2018/02/14

Changed the authenticated encryption format. It now conforms to
RFC 7539, with one exception: it uses XChacha20 initialisation (a
24-byte nonce) instead of the IETF version of Chacha20. This new
format is compatible with Libsodium's
crypto_aead_xchacha20poly1305_ietf_encrypt.

0.6

0.5

2017/03/10

Fixed many undefined behaviours in curve25519 that occurred whenever
a left shift was performed on a negative signed integer. It doesn't
affect the generated code, but you never know. (Found with Frama-C
by André Maroneze.)

Fun fact: TweetNaCl and ref10 have the same bug. Libsodium has
corrected the issue, though.

For those who don't comprehend the magnitude of this madness, the
expression -1 << 3 is undefined in C: section 6.5.7, paragraph 4 of
the C11 standard only defines E1 << E2 for a signed E1 when E1 is
non-negative and E1 * 2^E2 is representable in the result type. A
right shift of a negative signed value is merely
implementation-defined (paragraph 5), not undefined.
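
The following is an added example, not Monocypher's, ref10's or
TweetNaCl's code. It shows the ref10-style carry step in which the
left shift of a possibly negative carry occurs, with the shift replaced
by a multiplication by the power of two (the usual fix), plus a check
that the carry step still preserves the represented value and bounds
the reduced limb. The helper names, the two-limb toy representation
and the assumption that inputs are small enough not to overflow
int64_t are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Shifting a negative signed value left is undefined behaviour
   (C11 6.5.7 paragraph 4).  The two helpers below compute the same
   value without invoking it.  Assumption (this example's, not
   Monocypher's): n < 63 and x * 2^n fits in int64_t, so the
   multiplication cannot overflow. */
static int64_t shl_signed(int64_t x, unsigned n)
{
    return x * ((int64_t)1 << n);
}

/* Alternative: shift in unsigned arithmetic, where wraparound is
   defined, then convert back.  Converting an out-of-range unsigned
   value to int64_t is implementation-defined (C11 6.3.1.3), not
   undefined; on two's complement targets it yields x * 2^n. */
static int64_t shl_signed_unsigned(int64_t x, unsigned n)
{
    return (int64_t)((uint64_t)x << n);
}

/* One ref10-style carry between two signed limbs, where limb 0 is
   meant to hold 26 bits.  The carry is rounded to nearest so the
   reduced limb lands in [-2^25, 2^25).  The right shift of a possibly
   negative value is implementation-defined (6.5.7 paragraph 5; an
   arithmetic shift on mainstream compilers), not undefined, so it is
   left as is. */
static void carry26(int64_t *h0, int64_t *h1)
{
    int64_t carry = (*h0 + ((int64_t)1 << 25)) >> 26;
    *h1 += carry;
    *h0 -= shl_signed(carry, 26);   /* the UB form would be: carry << 26 */
}

/* Check the two invariants a carry step must keep: the represented
   value h0 + h1 * 2^26 is unchanged, and h0 is now within its bound.
   Inputs are assumed small enough that no intermediate overflows. */
static int carry26_check(int64_t h0, int64_t h1)
{
    int64_t before = h0 + shl_signed(h1, 26);
    carry26(&h0, &h1);
    int64_t after = h0 + shl_signed(h1, 26);
    int in_range = h0 >= -((int64_t)1 << 25) && h0 < ((int64_t)1 << 25);
    return before == after && in_range;
}

int main(void)
{
    /* Constructed inputs: a negative limb forces a negative carry. */
    int64_t h0 = -1234567891011LL, h1 = 7;
    printf("shl_signed(-1, 3) = %lld\n", (long long)shl_signed(-1, 3));
    printf("carry26 keeps value and bound: %d\n", carry26_check(h0, h1));
    carry26(&h0, &h1);
    printf("limbs after carry: h0=%lld h1=%lld\n", (long long)h0, (long long)h1);
    return 0;
}
```

Compile with -fsanitize=undefined (GCC or Clang) and swap the
multiplication back for `carry << 26` to see the sanitizer report the
shift at run time; the multiplication form is silent and produces the
same limbs. Frama-C's value analysis flags the same expression
statically, which is how the issue above was found.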

0.4

2017/03/09

Fixed critical bug causing Argon2i to fail whenever it uses more
than 512 blocks. It was reading uninitialised memory, and the
results were incorrect. (Found by Mike Pechkin.)

Fixed an undefined behaviour in curve25519 (fe_tobytes()). It was
accessing uninitialised memory, before throwing it away. It didn't
affect the compiled code nor the results, but you never know.
(Found with Frama-C by André Maroneze.)

0.3

2017/02/27

Got the invariants of poly1305 right, put them in the comments.
There was no bug, but that was lucky (turned out the IETF test
vectors were designed to trigger the bugs I was afraid of).